As deployment of global IP networks becomes more widespread, users of such networks face several challenges, such as obtaining secure access. Conventional protocols for providing user security are inadequate.
For example, as illustrated in FIG. 1, a typical communication system 10 may include a mobile node 12 positioned within a foreign domain 14 that is serviced by a foreign agent 16. The foreign agent 16 may be operably coupled to the mobile node 12 and a home agent 18 that services a home domain 20 by communication pathways, 22 and 24, respectively. Communication between the mobile node 12, foreign agent 16, and home agent 18 may be provided by a conventional IP communications protocol such as, for example, TCP/IP.
During operation, the mobile node 12 may roam over the foreign domain 14. In order to securely communicate messages between the mobile node 12 and the home agent 18, a secure communication pathway should be provided between the mobile node and the foreign agent and between the foreign agent and the home agent. One method of providing a secure communication pathway between the mobile node 12 and the home agent 18 is to encrypt communications between the mobile node and home agent using one or more shared secrets, or encryption keys. However, conventional methods of providing such encryption keys suffer from a number of serious drawbacks.
For example, in order to provide a secure communication pathway between the mobile node 12 and the foreign agent 16, a predefined shared secret, or encryption key, could be used to provide secure communications over the communications pathway 24. However, in order to permit secure communications between the mobile node 12 and all possible foreign agents, a virtually infinite number of predefined shared secrets, or encryption keys, would be required for every potential mobile node/foreign agent relationship. Such a static method of providing encryption keys is highly impractical.
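The static scheme just described, modelled as an added illustration (not code from the patent or any implementation it describes): every mobile node/foreign agent pair needs its own pre-provisioned secret, and a mobile node that roams to a foreign agent for which no secret was provisioned cannot authenticate to it. The node and agent names, the use of the shared secret as an HMAC key over a registration message, and the seed used to make the key table reproducible are all assumptions of this example.

```python
import hmac
import hashlib
from itertools import product

# Constructed sample population; names are hypothetical.
MOBILE_NODES = ["mn-12", "mn-13", "mn-14"]
FOREIGN_AGENTS = ["fa-16", "fa-17"]


def provision_static_keys(mobile_nodes, foreign_agents, seed=b"operator-seed"):
    """Build the full pairwise key table a static scheme requires: one
    pre-shared secret for every (mobile node, foreign agent) relationship.
    Keys are derived from a constructed seed only so the example is
    reproducible; a real operator would provision random secrets."""
    return {
        (mn, fa): hashlib.sha256(seed + mn.encode() + b"|" + fa.encode()).digest()
        for mn, fa in product(mobile_nodes, foreign_agents)
    }


def keys_required(n_mobile_nodes, n_foreign_agents):
    """Number of distinct secrets the static scheme must pre-provision."""
    return n_mobile_nodes * n_foreign_agents


def sign_registration(key_table, mn, fa, message):
    """Mobile node authenticates a registration message to a foreign agent
    with the pre-shared secret for that pair (assumed here to be used as an
    HMAC key). Returns None when no secret was provisioned for the pair."""
    key = key_table.get((mn, fa))
    if key is None:
        return None
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_registration(key_table, mn, fa, message, tag):
    """Foreign agent checks the tag with its copy of the pairwise secret."""
    key = key_table.get((mn, fa))
    if key is None or tag is None:
        return False
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def roaming_outcome(key_table, mn, fa, message=b"REGISTRATION_REQUEST"):
    """End-to-end: can this mobile node register securely with this agent?"""
    tag = sign_registration(key_table, mn, fa, message)
    return verify_registration(key_table, mn, fa, message, tag)
```

A pair present in the table registers successfully; a node arriving at an unprovisioned foreign agent (for example a newly deployed one) fails, and the table grows with every node and agent added.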
Alternatively, an encryption key for communications between the mobile node 12 and the foreign agent 16 could be provided by using a public key authentication or a digital signature. However, both of these methods rely upon a preexisting secure communication pathway between the mobile node 12 and an IKE or PKI provider and therefore are inefficient from the standpoint of time and cost.
Thus, existing methods for providing secure communications in a communication network do not permit the security associations between the entities in the network to be dynamically configured, renewed, or reset. Furthermore, the existing methods for providing secure communications in a communication network are slow and inefficient.
The present invention is directed to improving user security in communication networks.